Ignoring Indiscernible Threats Is No Longer an Option

Author: Donald R. Owens, CBA, CFE, CFF, CFSA, CIA, CITP, CPA, CRMA
Date Published: 13 July 2020

Why have many internal audit (IA) functions failed to drive the type of value stakeholders expect? The question provokes varying responses. Assertions that IA frequently raises in its defense are:

  • Voids in competencies
  • Hiring challenges
  • Budgetary constraints
  • Inability to effectively leverage tools and technologies

These and various other challenges are problematic and can prevent the IA function from becoming a value-generating corporate partner. A contributing factor for many IA functions is their reluctance to address “indiscernible” threats. Indiscernible threats are not indeterminate in the order of black swans (an extremely rare and unpredictable event beyond what can be anticipated and planned for) or gray rhinos (a rare, yet predictable event with a high impact that can be planned for). An indiscernible threat is best characterized as a known threat that may impact the organization but that IA excludes from its audit scope because it lacks an understanding of the threat. In general, IA elects to forgo further analysis of the threat, instead defaulting to known and familiar areas of coverage. When an indiscernible threat becomes an event, this frequently gives rise to a common criticism from audit committees and others: “Where was internal audit, and why was this threat ignored?”

Why are such threats overlooked or ignored? It is the human psyche’s natural tendency to gravitate to the known and understood. This predisposition conflicts with several core competencies that are essential to being an effective internal auditor: curiosity, unbiased analysis, critical thinking and skepticism. The avoidance of indiscernible threats is akin to the legal doctrine of “willful blindness,” which is defined as suspicion arising to the point where one sees the need for further inquiries, but deliberately chooses not to make those inquiries.1 Willful blindness has also been described as the state of “deliberate ignorance” of a certain fact.2

Many threats that previously fell into the indiscernible threat category are now periodically assessed and monitored. This is typically the result of a threat materializing into an event of significance (whether internally or externally) and an organization recognizing that it also has exposure to such a threat. It can be argued that the threat of a cyberbreach was once an indiscernible threat to many IA functions prior to the Target breach and other well-publicized cyberattack headlines. Shortly following those events, IA functions universally incorporated cyberattacks into their risk registers and assessments. Was the existence of this type of threat unknown or was it indiscernible to the IA practitioners? The same can be said for threats arising from privacy, corporate culture, social media, etc.

Regarding these types of threats, IA had conceptual awareness but lacked the depth of understanding to properly evaluate (figure 1) and conclude on the risk scenarios they presented to the organization. Consequently, there was a measurable time lag in elevating these threats and measuring their potential impacts. Is the onset of 5G and its disruptive impact an indiscernible threat at present? Has it been incorporated into risk assessments? Have we acquired the expertise needed to assess the threat this technology may have on the organization?

Figure 1—Steps to Evaluating Threats (image not reproduced)

Being proactive in capturing and evaluating indiscernible threats is the type of value proposition boards and stakeholders seek from IA. It requires IA practitioners to acquire the necessary knowledge to understand and assess these existing threats and place them in the proper context (unmasking the threats) so they can effectively advise boards and management on the potential impacts. Unmasking threats is the practice of drawing on available sources of threat intelligence (both internal and external). Effective threat intelligence gathering requires continuous research and analysis of trends and developments to gain an understanding and awareness of potential threat events and related threat actors.

Recent events have taught us that we cannot afford to disregard indiscernible threats. They can no longer be left on the periphery. Indiscernible threats should be a prominent consideration if IA is to exceed stakeholder expectations. Failure to dedicate the needed resources to unmask and assess these threats leaves both the organization and IA exposed.

Donald R. Owens, CBA, CFE, CFF, CFSA, CIA, CITP, CPA, CRMA, is founder and principal at PFRM Solutions, a risk management consulting firm that assists organizations in assessing and strengthening governance and risk management practices. He can be reached at dowens@pfrmsolutions.com.

Endnotes

1 Merriam-Webster Legal Dictionary, willful blindness
2 Sarch, A. F.; “Willful Ignorance, Culpability, and the Criminal Law,” St. John’s Law Review, vol. 88, no. 4, Winter 2014